Admission control in a communication network is the decision, taken each time a subscriber or user asks to connect and use the network's resources, of whether or not to admit that subscriber or user into the system. Traditional admission control policies typically address authentication, authorization, and quality of service in their decision processes.
Security risks arise from several facts: a subscriber's private information can be compromised; subscriber devices can be compromised and used to attack others by spreading malware; many compromised subscriber devices can together form a botnet that launches distributed denial of service attacks on the network itself and/or on other network users, mainly businesses. The damage can be measured both in monetary terms and in terms of network performance. The performance impact can be measured as the loss of connectivity incurred inside the network or on the edge links that connect businesses and users to the communication network, e.g., the Internet.
Cyber insurance was first proposed in 2000 as a method for mitigating the residual risk in the Internet. The policy was offered through a partnership of two companies: the security company Counterpane and the insurer Lloyd's of London.
A number of problems arise in this field that are analogous to those of the auto and health insurance markets. Others have argued that, like other successful insurance markets, the cyber insurance market will develop over time in response to experience and result in a well-functioning insurance market.
An analysis of the impact of insurance and self-investment in user-user interactions has been developed. It indicates that protection against attacks involves four different responses: 1) avoid the risk, 2) absorb the risk, 3) self-protect to mitigate the risk, and 4) transfer the risk through insurance or hedging. The analysis starts with a utility function model of the interplay between insurance and self-protection in the single-agent case. Depending on the costs of self-protection and insurance versus the probability and perceived loss from attack, users are motivated either to insure and self-protect, to self-protect without insuring, or to absorb the risk by not protecting. The model is then extended to multiple agents to examine the effects of moral hazard (the tendency of people to engage in riskier actions when they believe their losses will be compensated). This multi-agent model also considers the interactions between self-protection by different individuals, where one individual's decision to self-protect affects the losses of others in the event of an attack. The analysis is applied to two kinds of network, a full mesh and a star network resembling the Internet's power-law topology. A threshold phenomenon is observed, in which the reduced premiums offered to insured users who self-protect cause a small portion of the population to invest in self-protection, which ultimately causes all users to self-protect.
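As an added illustration (not part of the original article or of the analysis it summarises), the following Python script makes the single-agent decision concrete. It assumes a log utility of final wealth, full-coverage insurance, and a fixed drop in attack probability from self-protection; the parameter values are constructed, not taken from the analysis. The `regimes` sweep shows how the best response moves between "insure and self-protect", "insure only" and "absorb the risk" as the price of self-protection changes, and the no-discount case shows the effect of the reduced premium.

```python
"""Expected-utility model of a single agent choosing between insurance and
self-protection.  Added illustration; the functional forms (log utility, full
coverage, a fixed risk reduction from self-protection) are assumptions, not
the model of the analysis summarised above."""
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Agent:
    wealth: float             # initial wealth W
    loss: float               # loss L suffered if the attack succeeds
    p_attack: float           # attack probability without self-protection
    p_protected: float        # attack probability with self-protection
    cost_protect: float       # price of self-protection (patching, hardening, ...)
    premium_full: float       # full-coverage premium for an unprotected insured
    premium_protected: float  # reduced premium offered to a self-protecting insured


def utility(wealth):
    """Risk-averse (concave) utility of final wealth; assumed log form."""
    return math.log(wealth)


def expected_utility(a, insure, protect):
    """Expected utility of one of the four (insure, protect) combinations."""
    p = a.p_protected if protect else a.p_attack
    w = a.wealth - (a.cost_protect if protect else 0.0)
    if insure:
        # Full coverage: the insurer reimburses the whole loss, so final
        # wealth is certain once the premium has been paid.
        w -= a.premium_protected if protect else a.premium_full
        return utility(w)
    return p * utility(w - a.loss) + (1.0 - p) * utility(w)


CHOICES = {
    (False, False): "absorb the risk",
    (False, True): "self-protect only",
    (True, False): "insure only (transfer the risk)",
    (True, True): "insure and self-protect",
}


def best_choice(a):
    """Return the (insure, protect) pair with the highest expected utility."""
    options = {k: expected_utility(a, *k) for k in CHOICES}
    return max(options, key=options.get)


def regimes(a, costs):
    """Best response as the price of self-protection varies, other inputs fixed."""
    return {c: best_choice(replace(a, cost_protect=c)) for c in costs}


if __name__ == "__main__":
    # Constructed parameters: a 30% chance of losing 60 out of 100, which
    # self-protection cuts to 5%; the insurer discounts the premium for it.
    base = Agent(wealth=100, loss=60, p_attack=0.30, p_protected=0.05,
                 cost_protect=5, premium_full=20, premium_protected=4)
    for c, k in regimes(base, (5, 10, 15, 20, 25)).items():
        print(f"protection cost {c:>2}: {CHOICES[k]}")
    no_discount = replace(base, premium_protected=20)
    print("without a premium discount:", CHOICES[best_choice(no_discount)])
```

With the constructed numbers, cheap self-protection plus the discounted premium is best; once self-protection costs 20 or more the agent insures only; and if the insurer offers no discount the agent self-protects without buying insurance, which is the incentive the threshold argument above relies on.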
Others have assumed that the security risk of each player in the network depends on a linear combination of the investments of all users, and have shown that the price of anarchy (PoA) is very large in the one-shot game and increases with the number of players. In the repeated game, the social optimum can be achieved provided it does not conflict with individual rationality. However, implementing this strategy in a repeated game requires cooperation and communication among the players, which can be achieved either in an environment where all players cooperate or through a social planner who ensures a certain level of investment by all users.
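The following Python script is added here as an illustration and is not the cited model. It assumes a binary investment game in which each player's risk is one minus the average investment of all players (a linear combination of everyone's investment), brute-forces the Nash equilibria and the social optimum to compute the price of anarchy, and derives the discount factor above which grim-trigger punishment sustains the social optimum in the repeated game. The investment cost `c`, loss `L` and player counts are constructed.

```python
"""One-shot security-investment game with a linear risk function, its Nash
equilibria and price of anarchy, plus the discount-factor condition under
which the repeated game sustains the social optimum.  Added illustration with
an assumed model: each player either invests (1) or not (0), and everyone's
risk is 1 minus the average investment across all players."""
import itertools


def player_cost(profile, i, c, L):
    """Player i's investment cost plus expected loss; the risk term is linear
    in the investments of all players."""
    n = len(profile)
    risk = 1.0 - sum(profile) / n
    return c * profile[i] + L * risk


def social_cost(profile, c, L):
    """Sum of all players' costs for a given investment profile."""
    return sum(player_cost(profile, i, c, L) for i in range(len(profile)))


def is_nash(profile, c, L):
    """True if no player can lower its own cost by flipping its investment."""
    for i in range(len(profile)):
        deviation = list(profile)
        deviation[i] = 1 - deviation[i]
        if player_cost(tuple(deviation), i, c, L) < player_cost(profile, i, c, L) - 1e-12:
            return False
    return True


def price_of_anarchy(n, c, L):
    """Worst Nash social cost divided by the social optimum, found by brute
    force over all 2**n pure investment profiles."""
    profiles = list(itertools.product((0, 1), repeat=n))
    optimum = min(social_cost(p, c, L) for p in profiles)
    equilibria = [p for p in profiles if is_nash(p, c, L)]
    return max(social_cost(p, c, L) for p in equilibria) / optimum


def worst_case_poa(n, L, eps=0.01):
    """PoA just above the threshold c = L/n at which investing stops being
    individually rational while it is still socially optimal (c < L)."""
    return price_of_anarchy(n, L / n + eps, L)


def min_discount_factor(n, c, L):
    """Grim-trigger threshold for the repeated game: cooperating forever costs
    c per period; a one-shot deviation costs L/n that period and L in every
    later period once the others stop investing in response."""
    return (c - L / n) / (L - L / n)


if __name__ == "__main__":
    L = 10.0
    for n in range(2, 7):
        print(f"n={n}: worst-case PoA near threshold = {worst_case_poa(n, L):.2f}")
    print("PoA for n=4, c=3, L=10:", round(price_of_anarchy(4, 3.0, L), 3))
    print("discount factor needed to sustain cooperation:",
          round(min_discount_factor(4, 3.0, L), 3))
```

In this model the only equilibrium for `L/n < c < L` is that nobody invests, while the optimum is that everyone invests, so the PoA equals `L/c` and approaches `n` as `c` approaches `L/n`; the required discount factor is small, which is why a repeated game with communication (or a social planner enforcing the investment level) can restore the optimum.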
The applicability of existing insurance schemes to the current Internet has also been explored. Using standard insurance models, it has been analyzed whether business models built on cyber insurance schemes that use such models can survive in a competitive insurance market. After taking into account information asymmetry before contract signing (adverse selection) and hidden information after contract signing (moral hazard), it appears that no policy based on the current insurance models can survive in a competitive market. A different Internet architecture would therefore have to be adopted to mitigate or eliminate this information asymmetry.
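To make the pre-contract information asymmetry concrete, here is an added Python example of the textbook adverse-selection unraveling mechanism; it is not the model of the cited analysis. Two subscriber types have attack probabilities the insurer cannot observe. A competitive insurer charges a zero-profit pooled premium (plus a loading factor) over whoever currently buys; the example iterates until the set of buyers is stable and contrasts the result with what each type would buy if its risk were observable. Wealth, loss, probabilities and loading factors are all constructed.

```python
"""Adverse selection with unobservable subscriber risk.  Added illustration of
a textbook unraveling mechanism, not the model of the cited analysis; all
parameters are constructed."""
import math

WEALTH, LOSS = 100.0, 60.0
# Constructed population: type -> (attack probability, population share).
TYPES = {"low": (0.05, 0.5), "high": (0.30, 0.5)}


def utility(wealth):
    """Risk-averse (concave) utility of final wealth; assumed log form."""
    return math.log(wealth)


def eu_uninsured(p):
    """Expected utility of bearing the loss with probability p."""
    return p * utility(WEALTH - LOSS) + (1.0 - p) * utility(WEALTH)


def buys(p, premium):
    """A type buys full coverage iff the certain insured outcome is at least as
    good as staying uninsured."""
    return utility(WEALTH - premium) >= eu_uninsured(p)


def pooled_premium(insured, loading):
    """Zero-profit premium over the types that currently buy, times loading."""
    mass = sum(TYPES[t][1] for t in insured)
    claims = sum(TYPES[t][0] * TYPES[t][1] * LOSS for t in insured)
    return loading * claims / mass


def unravel(loading, trace=None):
    """Iterate premium setting and buying decisions until the pool is stable.
    Returns the set of types still insured (possibly empty)."""
    insured = set(TYPES)
    while insured:
        premium = pooled_premium(insured, loading)
        stay = {t for t in insured if buys(TYPES[t][0], premium)}
        if trace is not None:
            trace.append((round(premium, 3), sorted(stay)))
        if stay == insured:
            return insured
        insured = stay
    return insured


def full_information(loading):
    """Types that would buy if the insurer could observe risk and price each
    type at its own loaded fair premium."""
    return {t for t, (p, _) in TYPES.items() if buys(p, loading * p * LOSS)}


if __name__ == "__main__":
    for loading in (1.2, 1.35):
        steps = []
        final = unravel(loading, steps)
        print(f"loading {loading}: rounds {steps} -> insured {sorted(final)}; "
              f"with observable risk {sorted(full_information(loading))}")
```

With a 20% loading the pooled premium drives the low-risk subscribers out and only the high-risk type stays insured, although both types would buy at type-specific prices; with a 35% loading the high-risk type leaves in the second round too and the pool is empty. Neither pooled outcome can be fixed by the insurer's pricing alone, which is the sense in which the policy cannot survive without some way of closing the information gap.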